Apparatus and measurement method for identifying network devices

ABSTRACT

An apparatus for identifying network devices comprises a data acquisition unit that receives data from a multiplicity of network devices. It also comprises an interpretation unit that extracts identification data from the data and determines which of the multiplicity of network devices has sent the received data. A similarity of measured data of a physical clock to a predefined pattern and/or to previously measured data of the physical clock is analysed as a first criterion of an association of received data. In addition, at least one further criterion of an association of received data can be analysed among the identification data.

TECHNICAL FIELD

The invention relates to an apparatus and a measurement method for identifying network devices in a communications network.

BACKGROUND ART

A plurality of mobile devices can use a shared network connection by employing tethering. This is sub-optimum for the network operator. To be able to prevent this, however, the network operator must be able to detect such tethering.

In addition, for official duties it is sometimes necessary to monitor data connections to network devices. The legal framework, however, allows only targeted monitoring of individual data streams to specific network devices. Blanket monitoring is not permitted. For this purpose, it is necessary to reliably identify data streams emanating from individual network devices.

In order to address the two aforementioned problems, document U.S. Pat. No. 9,608,904 B2 discloses a method for identifying network devices. This document mentions a multiplicity of different criteria that can be used to identify different network devices. The disadvantage with the method disclosed in this document, however, is that frequent incorrect detections arise as a result of the numerous data sources.

In addition, the document “Remote physical device fingerprinting”, Tadayoshi Kohno, Andre Broido, K. C. Claffy, IEEE Transactions on Dependable and Secure Computing, Vol. 2, no. 2, pp. 93-108, May 2005, discloses using a clock skew as a criterion for identifying network devices. Using solely this method is disadvantageous because it does not reliably allow identification.

Thus, there is a need to provide an apparatus and a measurement method for reliable identification of network devices in a communications network.

SUMMARY OF THE INVENTION

According to a first aspect of the invention, an apparatus according to the invention for identifying network devices in a communications network comprises a data acquisition unit that is designed to receive data from a multiplicity of network devices in the communications network. In addition, the apparatus comprises an interpretation unit that is designed to extract identification data from the data and to use said identification data to determine which of the multiplicity of network devices has sent the received data. The interpretation unit is designed here in particular to analyse, as a first criterion of an association of received data with a specific network device, a similarity of measured data of a physical clock of the network devices to a predefined pattern and/or to previously measured data of the physical clock of the network devices.

In addition, the interpretation unit can preferably be designed to analyse at least one further criterion of an association of received data with a specific network device among the identification data. This ensures that individual network devices within the communications network can be identified with a minimum probability of incorrect detections.

The interpretation unit is advantageously and preferably designed to determine, for each network device identified on the basis of the criteria, a confidence value for each criterion. This allows a user of the apparatus to review how probable the detection of the network devices is.

The interpretation unit is also advantageously and preferably designed to determine the confidence value for each of the criteria by ascertaining a similarity or a match of the analysed criterion to an ideal value of the analysed criterion in question. This allows the confidence value to be ascertained particularly accurately.

The apparatus also advantageously and preferably comprises a display device. The identified network devices and, for each identified network device, the confidence value for each analysed criterion, are displayed on the display device. A user of the apparatus can thereby see at a glance which different network devices have been identified and how great the probability is that this identification is correct.

The interpretation unit is advantageously and preferably also designed to determine for each identified network device an overall confidence value from the confidence values of all the analysed criteria. It is thereby made even easier for the user of the apparatus to recognize whether or not the identification of a network device is reliable.

The interpretation unit is advantageously and preferably also designed to determine the overall confidence value by forming the arithmetic mean, by forming the median, by forming the geometric mean, by forming the harmonic mean, by forming the quadratic mean or by forming the cubic mean from the confidence values of the individual criteria. This ensures that the overall confidence value is determined particularly accurately.

In another advantageous and preferred embodiment, the apparatus has a display device that displays the identified network devices and also the confidence values and/or the overall confidence value. This makes it particularly easy for the user to recognise which network devices have been identified with what probability.

The interpretation unit is also advantageously and preferably designed to detect an association of received data with a specific, already identified network device when all the analysed criteria exhibit a similarity above a predefined similarity threshold value or exhibit a match. Alternatively, this can already be detected when a majority of all the analysed criteria exhibit a similarity above a predefined similarity threshold value or exhibit a match. As another alternative, this can be detected already when at least a predefined number of analysed criteria exhibit a similarity above a predefined similarity threshold value or exhibit a match. The thresholds at which detection of an already known network device is made can thereby be set very precisely.

In another advantageous and preferred embodiment, the interpretation unit can also be designed to identify a new network device when all the analysed criteria exhibit a similarity below the predefined similarity threshold value or do not exhibit a match with any of the already identified network devices. Alternatively, this can already be detected when a majority of all the analysed criteria do not exhibit a similarity above a predefined similarity threshold value or do not exhibit a match. As another alternative, a new network device can be detected when at most a predefined number of analysed criteria exhibit a similarity above a predefined similarity threshold value or exhibit a match. The conditions under which a new network device is identified can hence also be set very precisely.

According to another advantageous and preferred embodiment, the interpretation unit is also preferably designed to analyse as the at least one further criterion a similarity of IP fragment identifiers, and/or a similarity of TCP timestamps, and/or a match of IMSI numbers, and/or a match of IMEI numbers, and/or a match of ISDN numbers, and/or a match of mobile device identifiers in HTTP traffic, and/or a similarity of advertising identifiers, and/or a match of tracking cookies in HTTP traffic, and/or a similarity of DNS profiles, and/or a similarity of user agent patterns, and/or activity phases and inactivity phases within the data from network devices. It is thus possible to draw on numerous different data sources in order to identify network devices. This achieves a particularly high probability of the correct identification.

The interpretation unit is advantageously and preferably designed to analyse at least two further criteria, preferably at least three further criteria, more preferably at least four further criteria among the identification data. This can further increase the probability of a correct identification.

The network devices to be identified are advantageously and preferably multi-stack network devices. Alternatively, the network devices to be identified are arranged within the communications network behind a Network Address Translation (NAT) router from the viewpoint of the apparatus. It is hence possible to identify even these network devices, which are particularly difficult to identify.

The network devices advantageously and preferably use different network addresses at different times. Even these difficult-to-identify network devices can be identified by the apparatus according to the invention.

The identified network devices preferably run programs. The programs each produce program data as part of the data sent by the network device. The interpretation unit is then designed to use activity phases and inactivity phases within the data from a network device to distinguish between program data from different programs of the network device. It is thereby possible to infer a user behaviour of a user of the network device.

The interpretation unit is preferably designed in this case to identify the programs of the network devices on the basis of the program data. It is hence possible to draw particularly accurate conclusions about the user behaviour.

A measurement method according to a second aspect of the invention is used to identify network devices in a communications network. The method comprises the following steps: receiving data from a multiplicity of network devices in a communications network; extracting identification data from the data; and using said identification data to determine which of the multiplicity of network devices has sent the received data. In this process, a similarity of measured data of a physical clock of the network devices to a predefined pattern and/or to previously measured data of the physical clock of the network devices is analysed as a first criterion of an association of received data with a specific network device.

Preferably, at least one further criterion of an association of received data with a specific network device is analysed among the identification data. This ensures that individual network devices within the communications network can be identified with a minimum probability of incorrect detections.

BRIEF DESCRIPTION OF THE DRAWINGS

Exemplary embodiments of the invention are described below by way of example only, but not for limitation, with reference to the drawing, which shows an advantageous exemplary embodiment of the invention, and in which:

FIG. 1 is a block diagram of a first exemplary embodiment of the apparatus according to the invention;

FIG. 2 is a detailed view of the first exemplary embodiment of the apparatus according to the invention;

FIG. 3 is a first graph of an identification option of a second exemplary embodiment of the apparatus according to the invention;

FIG. 4 is a second graph of the identification option of the second exemplary embodiment of the apparatus according to the invention;

FIG. 5 is a third graph of the identification option of the second exemplary embodiment of the apparatus according to the invention;

FIG. 6 is a flow diagram of an exemplary embodiment of the measurement method according to the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The design and operation of various exemplary embodiments of the apparatus according to the invention, in this case in the form of a measurement apparatus 1, are explained with reference to FIG. 1 to FIG. 5. Lastly, the function of an exemplary embodiment of the measurement method according to the invention is illustrated with reference to FIG. 6. In some cases, identical elements have not been shown and described again in similar illustrations.

FIG. 1 shows a first exemplary embodiment of the measurement apparatus 1 according to the invention. The measurement apparatus 1 is coupled to a data connection in a communications network 7. The communications network 7 comprises a plurality of network devices 2, 3, 4, 5. In this embodiment, the network devices 2, 3, 4 are connected to a Network Address Translation (NAT) router 6. Also connected to the router 6 is the network device 5. The measurement apparatus 1 is coupled to a communications connection between the router 6 and the network device 5. In the example shown here, one of the network devices 2, 3, 4 is meant to be identified while it is sending data that is being routed to the network device 5 by the router 6.

For this purpose, the measurement apparatus 1 performs monitoring of the data sent by the network devices 2, 3, 4 to the network device 5. In particular, the data is searched for identification data. The identification data is then analysed. It is determined on the basis of the identification data which of the network devices 2, 3, 4 has sent the corresponding data. Details of this analysis are provided with reference to the subsequent FIG. 2.

FIG. 2 shows a detailed view of the measurement apparatus 1 from FIG. 1. The measurement apparatus 1 comprises an acquisition unit 10, which is connected to an interpretation unit 11. The interpretation unit 11 is in turn connected to a display device 12, said display device constituting an optional component.

The acquisition unit 10 receives data from the network devices 2, 3, 4 within the communications network 7. This data is passed from the acquisition unit to the interpretation unit 11. The interpretation unit 11 extracts identification data from the received data. The interpretation unit 11 uses this identification data to identify the different network devices 2, 3, 4.

In particular in this process, the interpretation unit uses, as a first criterion of an association of received data with a specific network device, a similarity of measured data of a physical clock of the network devices 2, 3, 4 to a predefined pattern and/or to previously measured data of the physical clock of the network devices 2, 3, 4. In order to increase the accuracy of the analysis, the interpretation unit preferably uses here at least one further criterion of an association of received data with a specific network device among the identification data.

It is possible to use here as the further criteria a similarity of IP fragment identifiers, and/or a similarity of TCP timestamps, and/or a match of IMSI numbers, and/or a match of IMEI numbers, and/or a match of ISDN numbers, and/or a match of mobile device identifiers in HTTP traffic, and/or a similarity of advertising identifiers, and/or a match of tracking cookies in HTTP traffic, and/or a similarity of DNS profiles, and/or a similarity of user agent patterns. It is also possible to use activity phases and inactivity phases in the data transmission, as illustrated with reference to FIG. 3-5. The interpretation unit can here analyse two, three, four, five or any number of further criteria of this type.
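The first criterion above, the physical clock, is the one the patent takes from Kohno et al.: a device's clock drifts at a rate (the skew) that stays characteristic of that device even when its IP address changes or it sits behind NAT. The following is an added illustration, not code from the patent or its assignee: it estimates the skew of a sender from the pairs (receive time on the apparatus clock, sender TCP timestamp) and compares the estimate with the previously measured skews of known devices. The least-squares fit, the millisecond tick rate, the tolerance of 5 ppm, the device names in `PROFILES` and all sample values are assumptions constructed for the example (Kohno et al. fit a lower bound by linear programming rather than by least squares).

```python
"""Clock-skew criterion (added example, not the patent's code).

A sender's elapsed clock time minus the receiver's elapsed time grows
linearly with the sender's relative clock skew; the slope of that offset
over time is the skew.  We compare it with stored skews of known devices.
"""


def offsets(samples, ticks_per_second):
    """Return (receiver_elapsed_s, sender_elapsed_s - receiver_elapsed_s).

    samples: list of (receive_time_s, sender_timestamp_ticks).
    """
    t0, ts0 = samples[0]
    out = []
    for t, ts in samples:
        x = t - t0
        sender_elapsed = (ts - ts0) / ticks_per_second
        out.append((x, sender_elapsed - x))
    return out


def estimate_skew_ppm(samples, ticks_per_second=1000.0):
    """Least-squares slope of offset versus time, in parts per million
    (assumed simplification of the linear-programming fit in Kohno et al.)."""
    pts = offsets(samples, ticks_per_second)
    n = len(pts)
    mx = sum(x for x, _ in pts) / n
    my = sum(y for _, y in pts) / n
    sxx = sum((x - mx) ** 2 for x, _ in pts)
    sxy = sum((x - mx) * (y - my) for x, y in pts)
    return sxy / sxx * 1e6


def skew_similarity(skew_ppm, profile_ppm, tolerance_ppm=5.0):
    """Similarity in [0, 1]: 1.0 for an identical skew, 0.0 at or beyond
    the (assumed) tolerance.  This is the 'similarity to previously
    measured data of the physical clock' of the first criterion."""
    return max(0.0, 1.0 - abs(skew_ppm - profile_ppm) / tolerance_ppm)


def best_match(skew_ppm, profiles, threshold=0.5):
    """Return (device or None, best score, all scores); None means the
    clock alone does not associate the data with any known device."""
    scores = {name: skew_similarity(skew_ppm, p) for name, p in profiles.items()}
    name, score = max(scores.items(), key=lambda kv: kv[1])
    return (name if score >= threshold else None, score, scores)


# Constructed observations: receive time in seconds on the apparatus
# clock, sender TCP timestamp in 1 ms ticks.  The sender's clock runs
# 50 ppm fast; a few milliseconds of constructed jitter are added.
_JITTER_MS = [0, 1, -1, 0, 2, -1, 0, 1, 0, -1, 0]
SAMPLES = [(float(t), round(1000 * t * 1.00005) + j)
           for t, j in zip(range(0, 601, 60), _JITTER_MS)]
CLEAN_SAMPLES = [(float(t), round(1000 * t * 1.00005)) for t in range(0, 601, 60)]

# Previously measured skews (ppm) of already identified devices; constructed.
PROFILES = {"device_A": 50.0, "device_B": -120.0, "device_C": 46.0}

if __name__ == "__main__":
    skew = estimate_skew_ppm(SAMPLES)
    print(f"estimated skew: {skew:.2f} ppm")
    print(best_match(skew, PROFILES))
```

Note how close device_A and device_C score with skews only 4 ppm apart: a skew estimate from a short capture has limited resolution, which is exactly why the patent insists on at least one further criterion alongside the clock.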

A match of specific data to a specific network device 2, 3, 4 is established by the interpretation unit when a defined number of analysed criteria exhibit a similarity above a predefined similarity threshold value or exhibit a match. This predetermined number may be the majority of all the analysed criteria or even the totality of all the analysed criteria. Thus this process involves a comparison between pre-measured criteria of the individual network devices and the currently measured criteria.

If the currently measured criteria differ from the previously measured criteria, then a new network device is identified. This is the case when a certain number of analysed criteria do not exhibit a similarity or a match with previously measured criteria. This defined number may be the total number of criteria, the majority of the criteria or even a defined minority of the criteria.

In particular, the measurement apparatus is able to identify even network devices that are multi-stack network devices or that are located behind the NAT router from the viewpoint of the measurement apparatus. It is also possible using the measurement apparatus to identify network devices that use different network addresses at different times.

The apparatus, in particular the interpretation unit 11, additionally determines a confidence value for each individual analysed criterion. This value equals the probability associated with the corresponding network device having been identified correctly. Besides the identified network devices 2, 3, 4, the corresponding confidence values of the individual criteria can additionally be displayed on the optional display device 12. In addition, the interpretation unit 11 can determine from the individual confidence values of the criteria for each identified network device 2, 3, 4 an overall confidence value, and optionally display this value likewise on the display device 12. Various averaging techniques can be used to determine the overall confidence value. In particular, an arithmetic mean, a median, a geometric mean, a harmonic mean, a quadratic mean or a cubic mean can be used for this purpose.
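The association rules (all criteria, a majority, or at least a predefined number above the threshold), the new-device rule and the six averaging techniques of the preceding paragraphs fit in a few lines. The following is an added example, not code from the patent: per-criterion similarity scores are assumed to lie in [0, 1] with an exact match scored as 1.0, and the criterion names, the threshold of 0.7 and the scores in `OBSERVED` and `KNOWN` are constructed for the example. A new device is identified here when the observation associates with none of the known devices under the chosen rule, which is the first variant described above.

```python
"""Association decision and overall confidence (added example, not the
patent's code).  Scores are per-criterion similarities in [0, 1]."""
import math
from statistics import median


def criterion_passes(score, threshold):
    """A criterion counts when its similarity is above the threshold; an
    exact match (1.0) always passes."""
    return score > threshold


def associate(scores, threshold=0.7, rule="majority", min_count=None):
    """Does the observation belong to the already identified device whose
    pre-measured criteria produced these scores?

    rule: 'all' (every criterion), 'majority', or 'count' (at least
    min_count criteria) above the threshold.
    """
    n = len(scores)
    passed = sum(1 for s in scores.values() if criterion_passes(s, threshold))
    if rule == "all":
        return passed == n
    if rule == "majority":
        return passed * 2 > n
    if rule == "count":
        if min_count is None:
            raise ValueError("min_count is required for rule='count'")
        return passed >= min_count
    raise ValueError(f"unknown rule {rule!r}")


def is_new_device(scores_per_known, threshold=0.7, rule="majority", min_count=None):
    """A new device is identified when no known device associates."""
    return not any(associate(s, threshold, rule, min_count)
                   for s in scores_per_known.values())


# The six averaging techniques named in the description.  Geometric and
# harmonic means are undefined for a zero score; a zero criterion then
# yields 0.0, the most conservative overall confidence.
MEANS = {
    "arithmetic": lambda v: sum(v) / len(v),
    "median": lambda v: median(v),
    "geometric": lambda v: (math.exp(sum(math.log(x) for x in v) / len(v))
                            if all(x > 0 for x in v) else 0.0),
    "harmonic": lambda v: (len(v) / sum(1.0 / x for x in v)
                           if all(x > 0 for x in v) else 0.0),
    "quadratic": lambda v: math.sqrt(sum(x * x for x in v) / len(v)),
    "cubic": lambda v: (sum(x ** 3 for x in v) / len(v)) ** (1.0 / 3.0),
}


def overall_confidence(scores, method="arithmetic"):
    """Overall confidence value from the per-criterion confidence values."""
    return MEANS[method](list(scores.values()))


# Constructed scores of one observation against each known device.
KNOWN = {
    "device_A": {"clock_skew": 0.85, "tcp_timestamp": 0.90,
                 "ip_fragment_id": 0.40, "user_agent": 1.00},
    "device_B": {"clock_skew": 0.10, "tcp_timestamp": 0.20,
                 "ip_fragment_id": 0.65, "user_agent": 0.00},
}
OBSERVED = KNOWN["device_A"]

if __name__ == "__main__":
    for rule, mc in (("all", None), ("majority", None), ("count", 3)):
        print(rule, associate(OBSERVED, rule=rule, min_count=mc))
    print("new device:", is_new_device(KNOWN))
    for m in MEANS:
        print(f"{m:10s} {overall_confidence(OBSERVED, m):.4f}")
```

Displaying the six means side by side shows the practical trade-off: the harmonic and geometric means are pulled down hard by one weak criterion (the 0.40 here), while the quadratic and cubic means let strong criteria dominate, so the choice of mean is itself a tuning knob for how conservative the overall confidence is.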

FIG. 3 shows the volume of data transmitted by a network device over time. The figure shows activity phases 20, 22 separated by an inactivity phase 21. In this diagram, there is no transmitted data whatsoever plotted during the inactivity phase. This is merely the ideal case, however. In reality, even when not being actively operated by a user, programs or applications of the network devices transmit status data, resulting in a continuous low level of data traffic. Such over-the-top data can be detected by using a threshold value. This over-the-top data is then not used to determine activity phases and inactivity phases. In other words, while only over-the-top data is detected below a threshold value, this is considered to be an inactivity phase.

FIG. 4 also shows a time threshold value T. This time threshold value is used to identify an inactivity phase 21. Since no further data transmission, or more precisely no further data transmission above the aforementioned threshold value, has occurred in the past activity phase 20 during a time period T, the time period from the last data transmission in the activity phase 20 until the start of the next data transmission in the activity phase 22 is deemed to be the inactivity phase 21.

Although in the case previously described only activity phases and inactivity phases within the data transmission of a single network device are analysed, it is equally possible to analyse the entire data traffic in the same manner. Conclusions about the data-transmitting network devices can be made similarly on the basis of patterns in the activity phases and inactivity phases.

FIG. 5 again shows the data volume over time. This figure again shows only the data from one network device. The diagram corresponds to the diagram of FIG. 3. A first device session 30 is associated with the first activity phase 20. A second device session 31 is associated with the second activity phase 22. The device sessions 30, 31 originate from the same network device, as was ascertained previously. They can originate from an identical program or different programs of this one network device. More detailed identification is possible, for example, using deep packet inspection (DPI), in which the data in the individual packets is analysed more closely.
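The segmentation of FIG. 3 to FIG. 5 reduces to two parameters: a volume threshold that separates over-the-top status traffic from user-driven transmission, and the time threshold T after which a pause counts as an inactivity phase. The following is an added example, not code from the patent: it takes per-second byte counts of one device, keeps only bins above the volume threshold, splits the remaining transmissions into activity phases wherever the gap between them reaches T, and labels each activity phase as a device session in the sense of FIG. 5. The 1 s binning, the threshold of 200 bytes, T = 30 s and the traffic profile in `SAMPLES` (low background with three bursts and one sub-threshold bump) are constructed for the example.

```python
"""Activity/inactivity phase detection (added example, not the patent's
code).  Input: per-second (time_s, bytes) bins for one network device."""

BACKGROUND_THRESHOLD = 200   # bytes per bin; at or below this is over-the-top status traffic (assumed)
T = 30.0                     # time threshold in seconds (assumed)


def phases(samples, threshold=BACKGROUND_THRESHOLD, t_gap=T):
    """Return (activity_phases, inactivity_phases), each a list of
    (start_s, end_s).  Bins at or below the threshold are ignored, so a
    low continuous background never interrupts an inactivity phase; a
    pause of at least t_gap between above-threshold bins ends a phase."""
    active = [t for t, b in samples if b > threshold]
    if not active:
        return [], []
    activity, inactivity = [], []
    start = prev = active[0]
    for t in active[1:]:
        if t - prev >= t_gap:
            activity.append((start, prev))
            inactivity.append((prev, t))
            start = t
        prev = t
    activity.append((start, prev))
    return activity, inactivity


def sessions(samples, threshold=BACKGROUND_THRESHOLD, t_gap=T):
    """One device session per activity phase (cf. sessions 30, 31 of
    FIG. 5), with the bytes transmitted above the background level."""
    activity, _ = phases(samples, threshold, t_gap)
    out = []
    for i, (start, end) in enumerate(activity):
        volume = sum(b - threshold for t, b in samples
                     if start <= t <= end and b > threshold)
        out.append({"session": i, "start": start, "end": end, "bytes_above_background": volume})
    return out


def _bytes_at(t):
    """Constructed traffic: 80..149 bytes/s of background status traffic,
    bursts at 5-12 s, 15-20 s and 70-90 s, and one small bump at 40 s."""
    background = 80 + (t * 37) % 70
    if 5 <= t <= 12 or 15 <= t <= 20 or 70 <= t <= 90:
        return background + 3000
    if t == 40:
        return 180                    # still below the threshold
    return background


SAMPLES = [(float(t), _bytes_at(t)) for t in range(120)]

if __name__ == "__main__":
    act, inact = phases(SAMPLES)
    print("activity:", act)
    print("inactivity:", inact)
    print("sessions:", sessions(SAMPLES))
```

With T = 30 s the 3 s pause between the first two bursts is absorbed into one activity phase, whereas lowering T to 2 s splits it into two phases; setting the volume threshold to 0 makes the continuous background look like one uninterrupted activity phase, which is the failure mode the threshold exists to avoid.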

It is hence possible to analyse user behaviour on the basis of the information about the programs used. In particular, it is possible to determine the form of use currently being made by the user of the network device.

Finally, FIG. 6 shows a flow diagram of an exemplary embodiment of the measurement method according to the invention. In a first step 100, data is received from a multiplicity of network devices in the communications network. In a second step 101, identification data is extracted from the data. In a third and final step 102, the identification data is used to determine which of the multiplicity of network devices has sent the received data. In this step, a similarity of measured data of a physical clock of the network devices to a predefined pattern and/or to previously measured data of the physical clock of the network devices is analysed as a first criterion of an association of received data with a specific network device. In addition, a second criterion is preferably analysed.

The invention is not limited to the presented exemplary embodiment. The network devices may be mobile terminal devices such as mobile phones, but may also be computers such as PCs or the like. All the features described above or shown in the figures can advantageously be combined with one another in any way without departing from the invention. Within this application “designed to” can also mean “configured to” or “having the functionality to”.

While various embodiments of the present invention have been described above, it should be understood that they have been presented by way of example only, and not limitation. Numerous changes to the disclosed embodiments can be made in accordance with the disclosure herein without departing from the spirit or scope of the invention. Thus, the breadth and scope of the present invention should not be limited by any of the above described embodiments. Rather, the scope of the invention should be defined in accordance with the following claims and their equivalents.

Although the invention has been illustrated and described with respect to one or more implementations, equivalent alterations and modifications will occur to others skilled in the art upon the reading and understanding of this specification and the annexed drawings. In addition, while a particular feature of the invention may have been disclosed with respect to only one of several implementations, such feature may be combined with one or more other features of the other implementations as may be desired and advantageous for any given or particular application.

What is claimed is:
1. An apparatus for identifying network devices in a communications network without using explicit identification information of the network devices, the apparatus comprising: a processor; and memory comprising software, which when executed by the processor, implements: a data acquirer configured to receive data from a plurality of network devices in the communications network; and an interpreter configured to: extract identification data from the data, the identification including information from which the identity of the network devices may be inferred; analyse the extracted identification data by: analysing as a first criterion of a group of criteria an association of the identification data with one or more specific network devices to identify at least one of a similarity of measured data of a physical clock of the network devices to a predefined pattern and/or to previously measured data of the physical clock of the network devices, and analysing one or more further criterion of the group of criteria to identify additional associations of the identification data with the one or more specific network devices based on traffic information; determine, based on the results of the analyzing of the first criterion and the one or more further criterion, which of the plurality of network devices has sent the received data; evaluating the results of the analysing to provide feedback to a user by: determining, for each network device identified on the basis of the criteria, a separate confidence value for each criterion, determining for each identified network device an overall confidence value from the confidence values of all the analysed criteria, and determining the overall confidence value by forming an arithmetic mean, by forming a median, by forming a geometric mean, by forming a harmonic mean, by forming a quadratic mean, or by forming a cubic mean from the confidence values of the individual criteria; and providing the overall confidence value to the user.
2. The apparatus according to claim 1, wherein the interpreter is configured to determine the separate confidence value for each of the criteria by ascertaining a similarity or a match of the analysed criterion to an ideal value of the analysed criterion in question.
3. The apparatus according to claim 1, wherein the apparatus also comprises a display device, wherein the display device is configured to display the identified network devices, and wherein the display device is configured to display the overall confidence value.
4. The apparatus according to claim 1, wherein the apparatus comprises a display device, wherein the display device is configured to display the identified network devices, and wherein the display device is configured to display for each identified network device separate confidence value for each criterion or the overall confidence value for each analysed criterion.
5. The apparatus according to claim 1, wherein the interpreter is configured to detect an association of received data with a specific, already identified network device: when all the analysed criteria exhibit a similarity above a predefined similarity threshold value or exhibit a match, or when a majority of all the analysed criteria exhibit a similarity above a predefined similarity threshold value or exhibit a match, or when at least a predefined number of analysed criteria exhibit a similarity above a predefined similarity threshold value or exhibit a match.
6. The apparatus according to claim 5, wherein the interpreter is configured to identify a new network device when all the analysed criteria exhibit a similarity below a predefined similarity threshold value or do not exhibit a match with any of the already identified network devices, when a majority of all the analysed criteria do not exhibit a similarity above a predefined similarity threshold value or do not exhibit a match, or when a predefined number of analysed criteria exhibit a similarity above a predefined similarity threshold value or exhibit a match.
7. The apparatus according to claim 1, wherein the interpreter is configured to analyse one or more additional criterion selected from: a similarity of IP fragment identifiers, a similarity of TCP timestamps, a match of IMSI numbers, a match of IMEI numbers, a match of ISDN numbers, a match of mobile device identifiers in HTTP traffic, a similarity of advertising identifiers, a match of tracking cookies in HTTP traffic, a similarity of DNS profiles, a similarity of user agent patterns, or activity phases and inactivity phases within the data from network devices.
8. The apparatus according to claim 1, wherein the interpreter is configured to analyse at least two additional criteria among the identification data.
9. The apparatus according to claim 1, wherein each network device identified comprises multi-stack network devices, or wherein each network device identified is arranged within the communications network behind at least one NAT router from the viewpoint of the apparatus.
10. The apparatus according to claim 1, wherein the plurality of network devices use different network addresses at different times.
11. The apparatus according to claim 2, wherein each network device identified runs programs, wherein the programs each produce program data as part of the data sent by the network device, and wherein the interpreter is configured to use activity phases and inactivity phases within the data from a network device to distinguish between program data from different programs of the network device.
12. The apparatus according to claim 11, wherein the interpreter is configured to identify the programs of the network devices on the basis of the program data.
13. A measurement method for identifying network devices in a communications network without using explicit identification information of the network devices, the method comprising: receiving data from a plurality of network devices in the communications network; and extracting identification data from the data, the identification including information from which the identity of the network devices may be inferred; analysing the extracted identification data by: analysing as a first criterion of a group of criteria an association of the identification data with one or more specific network devices to identify at least one of a similarity of measured data of a physical clock of the network devices to a predefined pattern and/or to previously measured data of the physical clock of the network devices, and analysing one or more further criterion of the group of criteria to identify additional associations of the identification data with the one or more specific network devices based on traffic information; determining, based on the results of the analyzing of the first criterion and the one or more further criterion, which of the plurality of network devices has sent the received data; evaluating the results of the analysing to provide feedback to a user by: determining, for each network device identified on the basis of the criteria, a separate confidence value for each criterion, determining for each identified network device an overall confidence value from the confidence values of all the analysed criteria, and determining the overall confidence value by forming an arithmetic mean, by forming a median, by forming a geometric mean, by forming a harmonic mean, by forming a quadratic mean, or by forming a cubic mean from the confidence values of the individual criteria; and providing the overall confidence value to the user.